It's important to point out that only some versions of CAPTCHA can be beaten. The CAPTCHA model is always going through revisions to make it harder for software to solve the challenge. In some cases a human can't even solve it; I had to attempt a CAPTCHA challenge 30 times before I got it right.
–
Ramhound Jan 9 '13 at 15:37

3 Answers

CAPTCHAs are a trade-off between the patience of the attackers, and the patience of the normal users. Even if they can be beaten, they still serve their purpose if they slow down attackers sufficiently to discourage at least some of them, while not frightening too many potential users.

Of course, as is customary in IT, a lot of systems are used and deployed and adopted because of cargo cult. CAPTCHAs are fashionable and this is sufficient to ensure their widespread usage.

Best way to think of it, imo, is as a way to prioritise your time. If you can block 85% of automated bots with a CAPTCHA, that means you only have to do manual work for the other 15%, rather than all of them.
–
Polynomial Jan 8 '13 at 7:11

But couldn't there be a better way of blocking attackers? Is there any that is existent?
–
user18489 Jan 8 '13 at 22:54

There is no automated Turing test, so there is no way to block all automated attackers.
–
ratchet freak Jan 8 '13 at 23:51

Let's not forget crowd-sourcing! Just set up a free porn site with strategically placed remote CAPTCHAs and have your visitors solve them to remove them.
–
lynks Apr 15 '13 at 12:24

Everything (everything) in security is balanced against cost. The purpose of CAPTCHA, just like the purpose of encryption, the purpose of physical security, the purpose of passwords, and the purpose of virtually every other security measure[*] is to increase the cost of circumvention, not to make circumvention impossible.

The intention is, specifically, to increase the cost of circumvention to above the value of circumvention. A good example of an effective application is CAPTCHAs on blog comments. If comments can be posted by low-cost automated processes, then spam is inevitable; the value of the spam comments outweighs the nearly negligible cost. But introducing a CAPTCHA step dramatically increases the cost in both computer resources and (more importantly) software availability, to such a point that attempting to solve this problem does not make financial sense for the attacker.

As a result, CAPTCHAs, despite their relatively unsophisticated approach, typically eliminate nearly 100% of blog spam for most sites.

[*] Except for 256-bit symmetric keys. That's just plain and simple impossible to brute-force at any price given the current limits of thermodynamics.
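The cost-versus-value argument in this answer, and the "block 85% so you only triage 15%" point from Polynomial's comment above, can be made concrete with a small model of an abuse campaign. The code below is an added example written for this page, not code from any of the answerers; every figure in it (per-comment value, per-attempt cost, solver price, solver pass rate) is a constructed assumption chosen to illustrate the break-even, not a measured number.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpamCampaign:
    """Parameters of one automated abuse campaign (all values are assumptions)."""
    value_per_success: float       # what the attacker earns per comment that lands
    attempts: int                  # submissions the attacker plans to make
    base_cost_per_attempt: float   # cost of an automated attempt with no CAPTCHA
    captcha_solve_cost: float      # extra cost per attempt to get a CAPTCHA solved
    captcha_solve_rate: float      # fraction of solve attempts that pass (0..1)


def expected_profit(c: SpamCampaign, captcha_enabled: bool) -> float:
    """Attacker's expected profit for the campaign with or without a CAPTCHA gate."""
    success_rate = c.captcha_solve_rate if captcha_enabled else 1.0
    extra = c.captcha_solve_cost if captcha_enabled else 0.0
    revenue = c.attempts * success_rate * c.value_per_success
    cost = c.attempts * (c.base_cost_per_attempt + extra)
    return revenue - cost


def break_even_solve_cost(c: SpamCampaign) -> float:
    """Per-attempt CAPTCHA cost at which the campaign stops being profitable.

    profit = attempts * (solve_rate * value - base_cost - solve_cost) <= 0
    => solve_cost >= solve_rate * value - base_cost
    """
    return max(0.0, c.captcha_solve_rate * c.value_per_success - c.base_cost_per_attempt)


def captcha_deters(c: SpamCampaign) -> bool:
    """True when a rational attacker would not run the campaign against the CAPTCHA."""
    return expected_profit(c, captcha_enabled=True) <= 0.0


def manual_review_load(total_submissions: int, captcha_block_rate: float) -> float:
    """Submissions a human still has to triage after the CAPTCHA filters the rest."""
    return total_submissions * (1.0 - captcha_block_rate)


# Constructed campaign: half a cent per landed comment, 100k attempts,
# 0.01 cents per bare attempt, 0.1 cents per CAPTCHA solve with a 90% pass rate.
CAMPAIGN = SpamCampaign(
    value_per_success=0.0005,
    attempts=100_000,
    base_cost_per_attempt=0.0001,
    captcha_solve_cost=0.001,
    captcha_solve_rate=0.9,
)

if __name__ == "__main__":
    print("profit without CAPTCHA:", expected_profit(CAMPAIGN, False))
    print("profit with CAPTCHA:   ", expected_profit(CAMPAIGN, True))
    print("break-even solve cost: ", break_even_solve_cost(CAMPAIGN))
    print("deterred:", captcha_deters(CAMPAIGN))
    print("manual review load at 85% block rate for 1000 posts:",
          manual_review_load(1000, 0.85))
```

The point of the model is the sign change, not the exact numbers: with the constructed figures the campaign clears 40 units without a CAPTCHA and loses 65 with one, and `break_even_solve_cost` shows how cheap a solver would have to be before the gate stops paying for itself. Re-run it with a higher `value_per_success` (say, for account creation rather than blog spam) and the same CAPTCHA no longer deters, which is the "trade-off against cost" the answer describes.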

CAPTCHAs are often used by sites not requiring an account (username, password). The content may then be trivially copied and used by another site. A CAPTCHA is the equivalent of a deadbolt. It sends the thief to the neighbor's house instead of yours, because yours is slightly harder to break into.